Download as PDF, PPTX
Uploaded byMarkus Zapke-Gründemann
Sichere Web-Applikationen am Beispiel von Django
The document discusses the security of web applications using Django as a case study, highlighting key vulnerabilities listed in the OWASP Top 10, such as SQL Injection, Cross-Site Scripting (XSS), and Broken Authentication. It provides examples of code that illustrate these vulnerabilities and suggests best practices for securing Django applications. Additionally, it mentions tools and libraries for enhancing security in web development.
More Related Content
![[DevDay2018] Security Testing - By Thuy Nguyen, Software Engineer at Axon Act...](https://cdn.slidesharecdn.com/ss_thumbnails/f107-nguyenthihongthuy-securitytesting-180419102325-thumbnail.jpg?width=640&height=640&fit=bounds)
Similar to Sichere Web-Applikationen am Beispiel von Django
![Number_Guessing_Game_Dsbsbssbzboc[1].pptx](https://cdn.slidesharecdn.com/ss_thumbnails/numberguessinggamedoc1-251206215042-a076fc05-thumbnail.jpg?width=640&height=640&fit=bounds)
Sichere Web-Applikationen am Beispiel von Django
- 1. Sichere Web-Applikationen am Beispielvon Django Markus Zapke-Gründemann LinuxTag 2014
- 2. Markus Zapke-Gründemann Softwareentwickler seit 2001 Python,Django und Mercurial Inhaber von transcode Vorstand des Deutschen Django-Vereins keimlink.de // @keimlink
- 3.
- 4. Django Python Web-Application Framework OpenSource (BSD-Lizenz) Rapid Development Model Template View (MTV) Object Relational Mapper (ORM) www.djangoproject.com
- 5. OWASP Open Web ApplicationSecurity Project Non-Profit-Organisation Alle Materialien unter freier Lizenz www.owasp.org
- 6.
- 7.
- 8. OWASP Top 10 1.Injection
- 9. OWASP Top 10 1.Injection 2. Broken Authentication and Session Management
- 10. OWASP Top 10 1.Injection 2. Broken Authentication and Session Management 3. Cross-Site Scripting (XSS)
- 11. OWASP Top 10 1.Injection 2. Broken Authentication and Session Management 3. Cross-Site Scripting (XSS) 4. Insecure Direct Object References
- 12. OWASP Top 10 1.Injection 2. Broken Authentication and Session Management 3. Cross-Site Scripting (XSS) 4. Insecure Direct Object References 5. Security Misconfiguration
- 13. OWASP Top 10 1.Injection 2. Broken Authentication and Session Management 3. Cross-Site Scripting (XSS) 4. Insecure Direct Object References 5. Security Misconfiguration 6. Sensitive Data Exposure
- 14. OWASP Top 10 1.Injection 2. Broken Authentication and Session Management 3. Cross-Site Scripting (XSS) 4. Insecure Direct Object References 5. Security Misconfiguration 6. Sensitive Data Exposure 7. Missing Function Level Access Control
- 15. OWASP Top 10 1.Injection 2. Broken Authentication and Session Management 3. Cross-Site Scripting (XSS) 4. Insecure Direct Object References 5. Security Misconfiguration 6. Sensitive Data Exposure 7. Missing Function Level Access Control 8. Cross-Site Request Forgery (CSRF)
- 16. OWASP Top 10 1.Injection 2. Broken Authentication and Session Management 3. Cross-Site Scripting (XSS) 4. Insecure Direct Object References 5. Security Misconfiguration 6. Sensitive Data Exposure 7. Missing Function Level Access Control 8. Cross-Site Request Forgery (CSRF) 9. Using Components with Known Vulnerabilities
- 17. OWASP Top 10 1.Injection 2. Broken Authentication and Session Management 3. Cross-Site Scripting (XSS) 4. Insecure Direct Object References 5. Security Misconfiguration 6. Sensitive Data Exposure 7. Missing Function Level Access Control 8. Cross-Site Request Forgery (CSRF) 9. Using Components with Known Vulnerabilities 10.Unvalidated Redirects and Forwards
- 18. SQL Injection >>> cmd= "UPDATE animals SET name='%s' WHERE id='%s'" % (name, id) >>> cursor.execute(cmd)
- 19. SQL Injection Exploits ofa Mom by Randall Munroe (cc-by-nc)
- 20. SQL Injection Exploits ofa Mom by Randall Munroe (cc-by-nc) Datenbank-Eingaben bereinigen!
- 21. SQL Injection >>> fromanimals.models import Animal >>> Animal.objects.filter(id=id).update(name=name)
- 22. Broken Authentication and SessionManagement http://example.com/sale/saleitems;sessionid= 2P0OC2JSNDLPSKHCJUN2JV?dest=Hawaii
- 23. Cross-Site Scripting (XSS) <h3>Preparation</h3> {{ recipe.preparation}} ! <script>alert('The best recipe in the world!')</script> Heat the water in the pot to 100 °C. ! <p><script>alert('The best recipe in the <world!')</script></p> <p>Heat the water in the pot to 100 °C.</p>
- 24. Cross-Site Scripting (XSS) <h3>Preparation</h3> {{ recipe.preparation|safe}} ! <script>alert('The best recipe in the world!')</script> Heat the water in the pot to 100 °C. ! <p><script>alert('The best recipe in the world!')</ script></p> <p>Heat the water in the pot to 100 °C.</p>
- 25.
- 26. Sensitive Data Exposure >>>from django.contrib.auth.models import User >>> User.objects.get(pk=1).password u'pbkdf2_sha256$10000$sDN75YuuoUWi$Ua/ H364jPAPTPBiAyJ1fc0uB4ClzQD5yGFisYrxCo40='
- 27.
- 28. Cross-Site Request Forgery (CSRF) <formmethod="post" accept-charset="utf-8"> {{ form.as_p }} {% csrf_token %} <input type="submit" value="Submit"/> </form>
- 29. Cross-Site Request Forgery (CSRF) <formmethod="post" accept-charset="utf-8"> ... <input type='hidden' name='csrfmiddlewaretoken' value='gB3bL3MU2fr8BCQXXrNV6pfS7GJYBdU0' /> <p><input type="submit" value="Submit" / ></p> </form>
- 30. Clickjacking X-Frame-Options Header aktivieren: MIDDLEWARE_CLASSES= ( ... 'django.middleware.clickjacking.XFrameOptionsMiddleware', ... )
- 31.
- 32. Werkzeuge OWASP Cheat SheetSeries HackBar Tamper Data sqlmap Scapy dsniff
- 33.
- 34. Code sicher(er) machen CodeReview Security Scanner Security Audit
- 35.